Hi everyone,
I’ve published my official GPG public key for verifying all of my signed software releases. You can download it RIGHT HERE.
Why verify?
- Authenticity: A valid signature proves the file was signed with my private key, so it really came from me and not from whoever controls the download mirror or CDN.
- Integrity: Any change to the file after it was signed (tampering in transit, a corrupted download) makes the signature fail. A checksum alone only catches corruption; the signature catches a deliberate swap as well.
How to import and use the key
- Import the key (keep the downloaded .asc file; Sparrow needs it too):
curl -fsSL https://example.com/.well-known/myapp-devkey.pub.asc -o paulscode.asc && gpg --import paulscode.asc
- Check the fingerprint: gpg --import only prints the short key ID, so run gpg --fingerprint on the imported key and compare the full fingerprint against the one published below (D5616558A7068A973E3F3CC2766662BB2575C083) before you rely on the key.
- Verify a signature (the first argument is the detached .sig file, the second is the release it signs; the public key is never passed to --verify):
gpg --verify raspiblitz-...img.gz.sig raspiblitz-...img.gz
You want "Good signature from Paul Lamb ...". A "WARNING: This key is not certified with a trusted signature!" line alongside it means only that you have not set a trust level for the key (next step); it does not mean the signature failed. "BAD signature" means do not install.
- Trust the key: (optional; this only silences the warning above, it does not make the check any stronger, so do it only after the fingerprint matched)
gpg --edit-key D5616558A7068A973E3F3CC2766662BB2575C083
> trust
> 4 (full; reserve 5/ultimate for keys you generated yourself, since ultimate trust also makes gpg accept anything that key certifies)
> quit
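The whole terminal procedure as one script, added here as an example and not part of the original post or of any paulscode tooling: it imports the key into a throwaway keyring so your own trust database cannot influence the result, refuses to continue unless the key carries the fingerprint published above, and then verifies the release while requiring gpg's machine-readable VALIDSIG status line to name that same fingerprint (a plain "Good signature" would be printed for any key in the keyring). Only the fingerprint and the paulscode.asc file name come from the post; the verify_release function, the file names in the usage line and the gpg 2.1+ requirement are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a signed release against a PINNED signing-key fingerprint.
# Not the author's script. Assumes gpg 2.1 or newer. The fingerprint below is the
# one published in the post; everything else is an assumption.
set -eu

PAULSCODE_FPR="D5616558A7068A973E3F3CC2766662BB2575C083"

# verify_release SIGNATURE RELEASE_FILE PUBKEY_FILE EXPECTED_FPR
# Returns 0 only if: the public key file imports cleanly, it contains a key whose
# full fingerprint equals EXPECTED_FPR, and gpg reports VALIDSIG for SIGNATURE over
# RELEASE_FILE with that fingerprint as either the signing key or its primary key.
verify_release() {
  local sig="$1" release="$2" pubkey="$3" want home ok=1
  # Normalise the expected fingerprint: no spaces, upper case, as gpg prints it.
  want=$(printf '%s' "$4" | tr -d ' ' | tr '[:lower:]' '[:upper:]')

  # Throwaway GNUPGHOME: the caller's keyring and trust database play no part.
  home=$(mktemp -d)
  chmod 700 "$home"

  # Step 1: import, then read every "fpr" record from the colon-separated listing
  # (field 10 is the full fingerprint) and require an exact match with $want.
  if GNUPGHOME="$home" gpg --batch --quiet --import "$pubkey" >/dev/null 2>&1 \
     && GNUPGHOME="$home" gpg --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: -v want="$want" '$1=="fpr" && $10==want {found=1} END {exit !found}'
  then
    # Step 2: verify with --status-fd 1 so the outcome is parsed, not eyeballed.
    # A VALIDSIG line is emitted only for a cryptographically valid signature;
    # field 3 is the signing (sub)key fingerprint, the last field the primary key's.
    if GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$release" 2>/dev/null \
       | awk -v want="$want" \
           '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) {found=1} END {exit !found}'
    then
      ok=0
    fi
  fi

  # Tear down the agent that gpg may have started for the throwaway home, then the home.
  GNUPGHOME="$home" gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$home"
  return "$ok"
}

# Usage (file names are placeholders):
#   ./verify.sh RELEASE.img.gz.sig RELEASE.img.gz paulscode.asc "$PAULSCODE_FPR"
if [ "$#" -eq 4 ]; then
  if verify_release "$@"; then
    echo "OK: valid signature from key $4, safe to install $2"
  else
    echo "FAILED: fingerprint mismatch, bad signature or tampered file. Do not install." >&2
    exit 1
  fi
fi
```

The fingerprint argument is what makes this stronger than reading gpg's output by eye: if an attacker who controls the download site also swaps the .asc for their own key, the signature still says "Good signature", but the pinned fingerprint check fails before --verify is ever run. Pass the fingerprint from a source other than the download site (this post, a business card, a previous verified release).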
For those who are less comfortable around a terminal, I recommend using Sparrow:
- Tools > Verify Download
- For “Release File”, select the application file (e.g. raspiblitz-…img.gz)
- For “Signature”, select the .sig file (e.g. raspiblitz-…img.gz.sig)
- For “Public Key”, select the .asc public key mentioned above (paulscode.asc)
If it checks out, every line is ticked (and the name and e-mail on the "Signed By" line should be exactly the ones below; a tick next to some other identity means the wrong key was used):
✓ Signed By: Paul Lamb (https://paulscode.com) <paul@paulscode.com>
✓ Release Hash: <matches signature> or "no hash required, signature signs release directly"
✓ Verified: Ready to install raspiblitz-…img.gz